Europe’s top legal advisor has challenged the EU legislature to fix the union’s highly controversial Data Retention Directive, which compels member states to have laws that force communications providers to record and hang on to user metadata – websites visited, people called, location data and so on — for between six months and two years.
The 2006 EU directive doesn’t tell member states how to define and lay down safeguards for protecting people’s fundamental right to privacy, when transposing the directive into national law. This is largely because member states have complete control over their own national security policies, and the whole point of the Data Retention Directive is to combat terrorism and serious crime.
However, this absence of fundamental limiting principles also makes the directive illegal, according to Advocate General Pedro Cruz Villalón.
“Faithful and exhaustive map”
Noting that data retention constitutes a “serious interference with the fundamental right of citizens to privacy,” a statement (PDF) from the Court of Justice of the European Union (CJEU) read:
“The Advocate General points out, in this regard, that the use of those data may make it possible to create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity. There is, moreover, an increased risk that the retained data might be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious. Indeed, the data are not retained by the public authorities, or even under their direct control, but by the providers of electronic communications services themselves. Nor does the Directive provide that the data must be retained in the territory of a Member State. They can therefore be accumulated at indeterminate locations in cyberspace.
“In the light of that serious interference, the Directive should, first of all, have defined the fundamental principles which were to govern the determination of the minimum guarantees for access to the data collected and retained and their use.”
The advisor added that the EU legislature “must assume its share of responsibility.” He also said the two-year upper limit for data retention – or indeed any limit from one year up — was disproportionate.
National security problem
Now, the advocate general doesn’t make rulings for the CJEU; he or she only advises the court. That means it’s still up to the CJEU to go along with that advice or not – the court needs to give a steer to national courts in Ireland and Austria, which are themselves trying to rule on lawsuits brought about by activists (the Digital Rights group in Ireland, and thousands of applicants in Austria).
However, Cruz Villalón recommended that, even if the court agrees with him and declares the directive incompatible with European privacy law, the effects of the ruling should be suspended “pending adoption by the EU legislature of the measures necessary to remedy the invalidity found to exist, but such measures must be adopted within a reasonable period.”
So there is technically a way out for those who want to keep on recording everyone’s lives. However, that’s no sure thing. Again, EU member states control their own national security policies, and it was no mistake that the legislation was left so vague when it comes to defining what the safeguards should be. Particularly now, with member states butting heads over the issue of how to react to Edward Snowden’s surveillance revelations, harmony seems a long way off.
The question now is how long the EU legislators’ “reasonable period” for fixing the directive should be. Hopefully the CJEU itself will be clearer on that point when it rules on the case at some point down the line.
Meanwhile, in France a new law allows everyone from the military to tax authorities to monitor citizens’ internet and communications metadata in real-time. I daresay that will attract the attention of EU authorities fairly swiftly.